ICO consultation on the draft updated data sharing 
code of practice 


Data sharing brings important benefits to organisations and individuals, 
making our lives easier and helping to deliver efficient services. 


It is important, however, that organisations which share personal data 
have high data protection standards, sharing data in ways that are fair, 
transparent and accountable. We also want organisations to be confident 
when dealing with data sharing matters, so individuals can be confident 
their data has been shared securely and responsibly. 


As required by the Data Protection Act 2018, we are working on updating 
our data sharing code of practice, which was published in 2011. We are 
now seeking your views on the draft updated code. 


The draft updated code explains and advises on changes to data 
protection legislation where these changes are relevant to data sharing. It 
addresses many aspects of the new legislation including transparency, 
lawful bases for processing, the new accountability principle and the 
requirement to record processing activities. 


The draft updated code continues to provide practical guidance in relation 
to data sharing and promotes good practice in the sharing of personal 
data. It also seeks to allay common concerns around data sharing. 


As well as legislative changes, the code deals with technical and other 
developments that have had an impact on data sharing since the 
publication of the last code in 2011. 


Before drafting the code, the Information Commissioner launched a call 
for views in August 2018. You can view a summary of the responses and 
some of the individual responses here. 


If you wish to make any comments not covered by the questions in the 
survey, or you have any general queries about the consultation, please 
email us at datasharingcode@ico.org.uk. 


Please send us your responses by Monday 9 September 2019. 


Privacy Statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
capacity (e.g. a member of the public). All responses from organisations 
and individuals responding in a professional capacity will be published. We 
will remove email addresses and telephone numbers from these 
responses; but apart from this, we will publish them in full. 


For more information about what we do with personal data please see our 
privacy notice. 


Questions 


Note: when commenting, please bear in mind that, on the whole, the 
code does not duplicate the content of existing guidance on particular 
data protection issues, but instead encourages the reader to refer to the 
most up to date guidance on the ICO website. 


Q1 Does the updated code adequately explain and advise on the new 
aspects of data protection legislation which are relevant to data 
sharing? 


[ ] Yes 


[x] No 


Q2 If not, please specify where improvements could be made. 


We appreciate that this code of practice is made expressly to provide 
GDPR compliant guidance for organisations wishing to share data. 


The draft code does explain and advise on the new aspects of data 
protection legislation which are relevant to data sharing in a way which 
offers practical guidance as well as useful case studies rather than a 
regurgitation of the legislation. 


However, we are concerned that the common law duty of confidence 
which forms a large part of the discussion for many health and social 
care organisations in the balancing of their duty to protect and share 
data may be lost within the code and this GDPR legislative landscape. 


The duty of confidence is currently mentioned within the draft code at 
p.61: 
‘a duty of confidence might be stated explicitly, or it might be 
implied, either by the content of the information or because it was 
collected in circumstances where confidentiality is expected, eg 
medical or banking information. If you are a big organisation 
planning to carry out complex, larger scale processing, you should 
consider obtaining legal advice on your data sharing plans’ 


Given the volume of data being shared derived from health and social 
care settings, we feel that the current mention of the duty of confidence 
is hidden away and may escape the attention of many readers. Bearing 
in mind this data is inherently likely to be more sensitive it demands 
much more emphasis. 


Whilst we are aware that detailed guidance on the common law is likely 
outside the scope of this code of practice, we do have a real concern 
that organisations could seek to rely only on this draft code in efforts to 
discharge their legal and ethical duties in sharing data and potentially 
be in breach of the common law. 


This lack of clear referencing to the common law in relation to health 
and social care creates the potential for significant confusion particularly 
as health appears in several of the draft code case studies, including 
one right at the beginning of the document. 


To that end and bearing in mind the substantial nature of the draft code 
of practice, we would encourage and invite a separate document which 
deals specifically with data sharing good practice which seeks to resolve 
the complexities of sharing (health and social care) data in line with the 
GDPR and the common law duty of confidence. 


We note that section 121 of the DPA 2018 states that the commissioner 
must prepare a code of practice which contains - 


“(a) practical guidance in relation to the sharing of personal data in 
accordance with the requirements of the data protection 
legislation, and 


(b) such other guidance as the commissioner considers appropriate 
to promote good practice in the sharing of personal data” 


and feel that this suggested separate piece of guidance would fall under 
(b) above. 


(Cross reference response to question 10 below.) 


Q3 Does the draft code cover the right issues about data sharing? 


[ ] Yes 


[x] No 


Q4 If no, what other issues would you like to be covered in it? 


Clear detailed guidance around pseudonymisation, anonymisation and 
linkage of datasets. 


Clarification around Data Trusts (p85) and whether they are intended 
for use across all data sectors; the NDG is not aware of them having yet 
been piloted or trialled/tested within health and social care settings. 


Q5 Does the draft code contain the right level of detail? 


[ ] Yes 


[x] No 


Q6 If no, in what areas should there be more detail within the draft 
code? 


Whilst we appreciate that the intended audiences for the code are 
organisations (larger organisations presumably having the benefit of IG 
Leads or DPOs) and that it would be difficult/impossible to draft a one 
size fits all document; we do note that this is a substantial (both in 
length and detail) 105 page document, excluding all of the ICO website 
linked guidance and external references which does take some getting 
through. 


We hope this does not deter smaller organisations and/or those without 
specialist/dedicated IG staff from using it. 


We would encourage and support an (additional) shorter document 
which sets out only the new aspects for those organisations who are 
already familiar with the previous 2011 data sharing code of practice or 
a summary of changes section within the document referencing the 
relevant detailed elements. 


Q7 Has the draft code sufficiently addressed new areas or 
developments in data protection that are having an impact on your 
organisation’s data sharing practices? 


[ ] Yes 


[x] No 


Q8 If no, please specify what areas are not being addressed, or not 
being addressed in enough detail 


(Cross reference response to Question 2 above.) 


Q9 Does the draft code provide enough clarity on good practice in data 
sharing? 


[ ] Yes 


[x] No 


Q10 If no, please indicate the section(s) of the draft code which could be 
improved, and what can be done to make the section(s) clearer. 


Whilst the draft code already includes some reference to human rights, 
it would be helpful for the ICO to provide additional guidance on the 
rights, outside of those granted by data protection legislation, that 
organisations need to consider when ensuring their data processing 
takes account of the ‘rights and freedoms’ of data subjects. 


We would welcome the ICO taking into account in particular best 
practice and advice within the health and social care sector as many 
organisations will be using industry guidance currently and it is 
important they receive consistent messages. 


In particular we would welcome guidance which helps reconcile the 
application of GDPR with the application of the common law duty of 
confidence. 


The Local Health and Care Record Exemplar (LHCRE) Programme IG 
Framework which is due to be published September 2019 whilst initially 
mandatory only for LHCRE areas, is regarded by NHSE/I as best 
practice for all health and care organisations as it brings together GDPR 
and common law duties. To this end some clarification around how the 
draft code fits with or mention of the LHCRE IG Framework would be 
useful. 


Q11 Does the draft code strike the right balance between recognising 
the benefits of sharing data and the need to protect it? 


[ ] Yes 


[x] No 


Q12 If no, in what way does the draft code fail to strike this balance? 


Whilst generally speaking GDPR and therefore the draft code is in strong 
alignment with the Caldicott principles, we do have one comment. 


The NDG highlighted by way of the introduction of Caldicott Principle 7 
that “the duty to share information can be as important as the duty to 
protect patient confidentiality”. 


The NDG and the Caldicott principles are most relevant to health and 
social care data although they are of wider use. There should not be a 
misreading of this principle to the extent that it becomes commonly 
accepted that the duty to share is always as important. 


We noted that several of the respondees to your call for views relied on 
this principle as support for an ‘obligation’ to share data and quoted 
from the NDG’s 2013 report. 


It remains the central aim of the NDG’s work to be the advocate and 
champion of individuals’ rights in respect of (safeguarding) their data 
and ensure that data sharing is conducted fairly and transparently 
whilst recognising that the reasonable expectations of individuals should 
be considered. 


We are aware that the DPA 2018 and GDPR have led to a focus on the 
minutiae of process and technical legal compliance without always 
looking at what is in the best interests of the individual / data subject. 


To that end we feel that some of the phraseology in the code, 
particularly the phrasing of two of the ‘misconceptions’ in the common 
concerns about data sharing p.13 (‘We Can Only Share Data With 
People’s Consent’ and ‘We Can’t Share Data In An Emergency’) are not 
appropriately balanced to protect individual rights and may appear 
biased for data sharing: 


e.g. ‘usually share’, ‘some cases’, ‘might need to ask for their 
consent’ 


Furthermore, some of the case studies (particularly those centred 
around health care) seem pitched at the benefits of sharing and give 
little sense of the risks. 


Whilst we indeed noted within our review ‘Information: To share Or Not 
To Share? The Information Governance Review’ 2013 (Caldicott2) that 
‘when it comes to sharing information, a culture of anxiety permeates 
the health and social care sector’, we are concerned that under these 
‘misconceptions’ the attempt to resolve this, has been to simply state 
that information can be shared easily and that consent is not 
always required rather than setting out a simple balanced user friendly 
tool to follow to quickly conclude whether data should be shared or not. 


We support that the draft code should emphasise the benefits of 
appropriate data sharing as well as the risks which need to be mitigated 
when data is shared and as such there needs to be counter balanced 
messages throughout the document about the importance of 
safeguarding data as well as sharing. 


We believe this to be particularly important in maintaining the public’s 
trust around balanced and appropriate data sharing. 


Q13 Does the draft code cover case studies or data sharing scenarios 
relevant to your organisation? 


[x] Yes 


[ ] No 


Q14 Please provide any further comments or suggestions you may have 
about the draft code. 


(Cross reference response to Question 2 above.) 


We support medconfidential’s comment within their response to your 
call for views suggesting a discussion between the ICO and the NDG 
about the definitions and limits of sharing and re-use of clinical data and 
the duty of confidentiality within the NHS and by NHS clinicians. We 
would welcome an opportunity to collaborate with the ICO on a joint 
‘mythbuster’ style document to achieve this. 


The NDG would welcome some horizon scanning / future proofing of the 
code to include case studies which deal with data sharing and data 
protection when data is passed through a digital device or app. 


We would welcome reference being made to the NDG being put on a 
statutory basis within the data ethics section (p87) as a key element in 
maintaining public trust in data sharing. 


Q15 To what extent do you agree that the draft code is clear and easy 
to understand? 


[ ] Strongly agree 


[x] Agree 


[ ] Neither agree nor disagree 


[ ] Disagree 


[ ] Strongly disagree 


Q16 Are you answering as: 


[ ] An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public) 


[ ] An individual acting in a professional capacity 


[x] On behalf of an organisation 


[ ] Other 


Please specify the name of your organisation: 


The National Data Guardian (NDG) 


Thank you for taking the time to share your views and experience. 


